Data Privacy as a Business Enabler
Copyright © 2015 Symantec Corporation
The Drive for Data Privacy
The slide contrasts drivers with inhibitors:
• Lack of Business Ownership
• Data Growth
• Emerging Technology
• Regulations
• Lack of Visibility
• Evolving Threat Landscape
• Press Headlines
• Reputation
• Business Opportunity
• Customer Expectations
Privacy Most Important when Customers Choose Products or Services
Source: Symantec State of Privacy Report 2015, https://www.symantec.com/content/en/us/about/presskits/b-state-of-privacy-report-2015.pdf
Attributes customers were asked about:
• Delivering great customer service
• Keeping your data safe and secure
• Delivering quality products / services
• Treating their employees and suppliers fairly
• Being environmentally friendly
Percentages shown on the chart: 82%, 86%, 69%, 56%, 88%
Not All Organisations Have the Same Level of Consumer Trust for Securing Data
Source: https://www.symantec.com/content/en/us/about/presskits/b-state-of-privacy-report-2015.pdf
Share of consumers trusting each type of organisation to keep their data completely secure:
• Hospitals / medical services: 69%
• Banks: 66%
• Government: 45%
• Technology companies (e.g. Google, Microsoft): 22%
• Retailers (including online shops): 20%
• Social media sites (e.g. Facebook, Twitter): 10%
Organisations whose business models are based on data (technology companies and social media companies) appear less trusted to keep customer data completely secure.
Figure: Data Trust Chain
Building Trust – Best Practices for Protecting Data in the Cloud
European Data Protection Regulation
Updating European Privacy Legislation

EU General Data Protection Regulation (GDPR)
• TODAY: 28 interpretations of the Data Protection Directive
• 2018: One Data Protection Regulation, harmonized across all EU member states
Scope of the GDPR
Defines:
• Personal data
• Legal basis for processing
• Embedding privacy
• Data security

PROTECT PERSONAL INFORMATION THROUGH ITS LIFECYCLE
Information lifecycle: Collect, Process, Retain & Secure, Manage
Collect – principles of data collection:
  – Fairly and lawfully
  – Receiving consent
  – Relevance
  – Proportionality
  – Types of data
Process – permission applies to:
  – Specific data
  – Specific purpose
  – Notify of changes
Retain & Secure:
  – Retain: duration, types of data
  – Secure: people, process, technology, data loss
Manage – management of:
  – Access
  – Right to rectify data
  – Data destruction policy
  – Data transfers
  – Applicable rules
GDPR is about data governance.
Business Concerns with the GDPR
• Accountability
• Information Security
• Cloud and International Data Transfer
• Penalties for Breaking the Law
PROTECT PERSONAL INFORMATION THROUGH ITS LIFECYCLE
What Is Accountability?
• Demonstrate compliance
• Appropriate policy, process and technology
• Data Protection Officers
• Privacy Impact Assessments
• Privacy by Design and by Default
• Effective, enforced and documented policies
Accountability cannot be transferred or outsourced.
Information Security
• Improved security requirements
• Encryption and ID management
• Requirement to secure private data
• Effective detection and response
Cloud & Data Transfer Myth Busters
Myth: It’s illegal to send EU data outside the EU.
Reality: Data can be transferred outside the EU subject to strict conditions. The flow of Personal Data within the EU is in principle “freely allowed”.
Myth: Organisations need Safe Harbor to transfer EU Personal Data to the US.
Reality: There are several mechanisms to enable the transfer of EU Personal Data to the US.
Myth: Data privacy legislation for data residency requires Personal Data to be stored in a specific country.
Reality: Storage of EU Personal Data is allowed anywhere within the EU and is not limited to a single EU country. There may be restrictions, but not from data privacy legislation.
Myth: IP addresses and log files are forms of Personal Data.
Reality: Several jurisdictions in Europe treat IP addresses and other log files as Personal Data.
Penalties and Notification
• Fines of up to 4% of global annual turnover or up to €20m, whichever figure is higher
• Enforcement by national Data Protection Authorities
• 72 hours to notify of a breach once aware
Preparing for the GDPR
Embracing Privacy by Design

Key Implications
Realization: GDPR will be enforced by 2018. Implication: It could take a long time to get ready. Need: Build on what you’ve already got so you can start early.
Realization: Fines will be up to 4% of revenue or €20m. Implication: GDPR compliance isn’t a tick-box exercise. Need: Data Governance and Privacy by Design give value.
Realization: Breach notification will be 72 hours. Implication: Response investigations can take weeks to months. Need: Effective detection and response to attack is critical.
Starting Questions for the GDPR
• Do you know what personal data you process? (Yes / No)
• Do you know where it is and how it flows in the organisation? (Yes / No)
• Do you consider privacy at every level? (Yes / No)
• Do you think user / data subject first in security? (Yes / No)
• Have you reviewed your information risk management process for data privacy? (Yes / No)
• Have you reviewed your security controls against privacy requirements? (Yes / No)
• Do you have robust detection and monitoring processes? (Yes / No)
• Have you tested and implemented your response plans, including notification and external communication? (Yes / No)
If you answered No to any of these, then you need to start planning for the GDPR.
Embrace Privacy by Design =
• Keep it user-centric
• Privacy as the default setting
• Privacy embedded into the design
• Visibility and transparency – keep it open
• Avoiding false dichotomies – e.g. privacy vs security
• Full lifecycle protection of information
• Proactive, not reactive
Use a Data Governance Framework to Review Your Programme
Lifecycle stages: Collect, Process, Retain & Secure, Manage
Review items shown on the slide:
• Define and locate personal data
• Secure technology that collects personal data
• Record consent from data subjects
• Detect and block threats to data in use
• Privacy Impact Assessments
• Validate data processors
• Restrict processing of data YOU have to retain
• Prevent data loss
• Control access to data
• Protect data at rest
• Secure transfer and storage of collected data
• Risk management of the information lifecycle
• Validate data subjects invoking rights
• Educate DPOs on cyber risk
• Pseudonymisation and obfuscation of personal data
• Minimise, anonymise, erase data
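The myth-busters slide notes that several European jurisdictions treat IP addresses and log files as Personal Data, and the framework above lists pseudonymisation and obfuscation of personal data as a retain-and-secure control. As an added example (not code from the Symantec deck), the Python below pseudonymises IP addresses in constructed web-server log lines with a keyed HMAC: the same address always maps to the same token, so failed-login counting and similar detection logic keep working on the pseudonymised log, while the raw address cannot be read back without the key. The key, the log lines and the token format are constructed for the example.

```python
"""Keyed pseudonymisation of IP addresses in log lines (constructed example)."""
import hashlib
import hmac
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed demo key. In practice the key is the "additional information"
# that GDPR pseudonymisation requires to be kept separately from the data:
# load it from a secret store, never from the log pipeline's own config.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed Apache/nginx-style access log lines using documentation IP ranges.
SAMPLE_LOGS: List[str] = [
    '203.0.113.45 - - [10/May/2016:10:01:22 +0000] "POST /login HTTP/1.1" 401 87',
    '198.51.100.7 - - [10/May/2016:10:01:23 +0000] "POST /login HTTP/1.1" 401 87',
    '203.0.113.45 - - [10/May/2016:10:01:25 +0000] "POST /login HTTP/1.1" 401 87',
    '2001:db8::1 - - [10/May/2016:10:01:26 +0000] "GET / HTTP/1.1" 200 1024',
]

# Loose candidate match for IPv4/IPv6 text; every hit is validated with
# ipaddress below, so timestamps ("2016:10:01:22") and "HTTP/1.1" are left alone.
CANDIDATE_RE = re.compile(r"[0-9A-Fa-f:.]+")


def pseudonymise_ip(ip: str, key: bytes, token_len: int = 12) -> str:
    """Map an IP address to a stable keyed token.

    Same address + same key => same token, so correlation across log lines
    survives; without the key there is no way back to the address.
    The address is parsed first, so textual variants of one IPv6 address
    (2001:DB8::1 vs 2001:db8::1) collapse to a single token.
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError if not an IP address
    digest = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()
    return f"ip{addr.version}-{digest[:token_len]}"


def pseudonymise_line(line: str, key: bytes) -> str:
    """Replace every IP address in a log line with its keyed token."""
    def repl(match: "re.Match[str]") -> str:
        token = match.group(0)
        if "." not in token and ":" not in token:
            return token  # plain numbers such as status codes or byte counts
        try:
            return pseudonymise_ip(token, key)
        except ValueError:
            return token  # not an IP address: timestamp, HTTP version, etc.
    return CANDIDATE_RE.sub(repl, line)


def failed_logins_by_client(lines: Iterable[str], key: bytes) -> Dict[str, int]:
    """Count HTTP 401 responses per pseudonymised client.

    Demonstrates that detection logic (here: repeated failed logins) still
    works on the pseudonymised log, because the token is stable per address.
    """
    counts: Dict[str, int] = {}
    for raw in lines:
        line = pseudonymise_line(raw, key)
        fields = line.split()
        # Combined log format: client is field 0, status code is field 8.
        if len(fields) > 8 and fields[8] == "401":
            counts[fields[0]] = counts.get(fields[0], 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(pseudonymise_line(raw, DEMO_KEY))
    print(failed_logins_by_client(SAMPLE_LOGS, DEMO_KEY))
```

Rotating the key breaks correlation with older tokens, so a retention policy needs to decide how long one key stays in use before the pseudonymised data is erased.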
Data Protection Is a Tool for Risk Reduction
Chart: Risk Reduction Over Time (y-axis: Incidents Per Week, 0 to 1000; phases: Visibility, Remediation, Notification, Prevention)
EU General Data Protection Regulation
What Good Data Governance Brings to a Company
• Know your data
• Control your data
• Agility
Outcomes: reduce costs; business value from your information; be agile and innovative.
EU General Data Protection Regulation
Reducing Risk from Preparation to Response (Mobile / BYOD / IoT endpoints)
PREPARE: Understand personal data and risk posture
PROTECT: Protect personal data from malicious attack and misuse
DETECT: Provide rapid detection; understand the impact of a breach
RESPOND: Respond efficiently and effectively to be compliant; mitigate risk
Capabilities and Symantec offerings shown on the slide:
• Data Discovery and Privacy Impact Assessments
• Data Loss Prevention
• Risk Posture Assessment and Remediation – Control Compliance Suite / Endpoint Management
• Information Protection and Governance – Data Loss Prevention / Encryption / Authentication
• Threat Protection – SEP / DCS / ATP / Email Security / Web Security
• Monitoring, Threat Intelligence and Cyber Expertise – Cyber Security Services
• Advanced Persistent Threat Detection – ATP / Unified Analytics
• Crisis Management and Incident Response – Cyber Security Services
• Cyber Insurance
• Unified Analytics
• Cloud Data Risk Posture Assessment – Elastica
• Data Encryption & Tokenization – ProxySG, Cloud Data Protection
• Advanced Persistent Threat Detection – SSL Visibility, CAS/MA, Security Analytics
• Incident Response and Network Forensics – Security Analytics
How Can Symantec Help?
Threat Protection (Keep the Bad Stuff Out). Realization: Breach is inevitable. Need: Expand from protection (only) to add detection + response.
Information Protection (Keep the Good Stuff In). Realization: Information is now everywhere. Need: Move our protection to wherever information flows.
Compliance / IT GRC (Do the Right Thing). Realization: Regulatory scope is expanding. Need: Embed governance into the security program.
Thank you!
Copyright © 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Legal Disclaimer: The materials contained in this presentation are not intended to provide, and do not constitute or comprise, legal advice on any particular matter and are provided for general information purposes only. You should not act or refrain from acting on the basis of any material contained in this presentation without seeking appropriate legal or other professional advice.

Testing tools and AI - ideas what to try with some tool examples
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 

Data Privacy as a Business Enabler

  • 1. Data Privacy as a Business Enabler
  • 2. Copyright © 2015 Symantec Corporation. The Drive for Data Privacy. Drivers: Regulations, Evolving Threat Landscape, Press Headlines, Reputation, Business Opportunity, Customer Expectations. Inhibitors: Lack of Business Ownership, Data Growth, Emerging Technology, Lack of Visibility. Copyright © 2016 Symantec Corporation
  • 3. Privacy most important when customers choose products or services (Symantec State of Privacy Report 2015, https://www.symantec.com/content/en/us/about/presskits/b-state-of-privacy-report-2015.pdf). Chart of factors consumers rate as important: Delivering great customer service; Keeping your data safe and secure; Delivering quality products / services; Treating their employees and suppliers fairly; Being environmentally friendly (values shown: 82%, 86%, 69%, 56%, 88%).
  • 4. Not all organisations have the same level of consumer trust for securing data (https://www.symantec.com/content/en/us/about/presskits/b-state-of-privacy-report-2015.pdf). Share of consumers trusting each sector to keep data completely secure: Hospitals / medical services 69%; Banks 66%; Government 45%; Technology companies (i.e. Google, Microsoft) 22%; Retailers (including online shops) 20%; Social media sites (i.e. Facebook, Twitter) 10%. Organisations whose business models are based on data (tech companies and social media companies) appear less trusted to keep customer data completely secure. Source: Data Trust Chain, Building Trust – Best Practices for Protecting Data in the Cloud.
  • 5. European Data Protection Regulation: Updating European Privacy Legislation
  • 6. EU General Data Protection Regulation (GDPR). TODAY: 28 interpretations of the Data Protection Directive. 2018: One Data Protection Regulation, harmonized across all EU member states.
  • 7. Scope of the GDPR: Defines personal data; Legal basis for processing; Embedding privacy; Data security. PROTECT PERSONAL INFORMATION THROUGH ITS LIFECYCLE.
  • 8. Information lifecycle (GDPR is about data governance). Collect: principles of data collection: fairly and lawfully, receiving consent, relevance, proportionality, types of data. Process: permission applies to specific data and a specific purpose; notify of changes. Retain & Secure: retain (duration, types of data); secure (people, process, technology, data loss). Manage: management of access, right to rectify data, data destruction policy, data transfers, applicable rules.
  • 9. Business Concerns with the GDPR: Accountability; Information Security; Cloud and International Data Transfer; Penalties for Breaking the Law. PROTECT PERSONAL INFORMATION THROUGH ITS LIFECYCLE.
  • 10. What is accountability? Demonstrate compliance; appropriate policy, process and technology; Data Protection Officers; Privacy Impact Assessments; Privacy by Design and by Default; effective, enforced and documented policies. Accountability cannot be transferred or outsourced.
  • 11. Information Security: Improved security requirements; Encryption and ID management; Requirement to secure private data; Effective detection and response.
  • 12. Cloud & Data Transfer Myth Busters.
    - Myth: It’s illegal to send EU data outside the EU. Reality: Data can be transferred outside the EU subject to strict conditions. The flow of Personal Data within the EU is in principle “freely allowed”.
    - Myth: Organisations need Safe Harbor to transfer EU Personal Data to the US. Reality: There are several mechanisms to enable the transfer of EU Personal Data to the US.
    - Myth: Data privacy legislation for data residency requires Personal Data to be stored in a specific country. Reality: Storage of EU Personal Data is allowed anywhere within the EU and not limited to a single EU country. There may be restrictions, but not from data privacy legislation.
    - Myth: IP addresses & log-files are forms of Personal Data. Reality: Several jurisdictions in Europe treat IP addresses and other log files as Personal Data.
  • 13. Penalties and Notification: up to 4% of global annual turnover or up to €20m, whichever figure is higher; enforcement by national Data Protection Authorities; 72 hours to notify of a breach once aware.
  • 14. Preparing for the GDPR: Embracing Privacy by Design
  • 15. Key Implications (Realization / Implication / Need).
    - GDPR will be enforced by 2018 / It could take a long time to get ready / Build on what you’ve already got so you can start early.
    - Fines will be up to 4% of revenue or €20m / GDPR compliance isn’t a tick-box exercise / Data Governance and Privacy by Design give value.
    - Breach notification will be 72 hours / Response investigations can take weeks to months / Effective detection and response to attack is critical.
  • 16. Starting Questions for the GDPR (answer Yes or No): Do you know what personal data you process? Do you know where it is and how it flows in the organisation? Do you consider privacy at every level? Do you think user / data subject first in security? Have you reviewed your information risk management process for data privacy? Have you reviewed your security controls against privacy requirements? Do you have robust detection and monitoring processes? Have you tested and implemented your response plans, including notification and external communication? If you answered No to any of these then you need to start planning for the GDPR.
  • 17. Embrace Privacy by Design = Proactive not reactive; Privacy as the default setting; Privacy embedded into the design; Avoiding false dichotomies (e.g. privacy vs security); Full lifecycle protection of information; Visibility & transparency – keep it open; Keep it user-centric.
  • 18. Use a Data Governance Framework to Review your Programme (Collect / Process / Retain & Secure / Manage): Define and locate personal data; Secure technology that collects personal data; Record consent from data subjects; Detect and block threats to data in use; Privacy Impact Assessments; Validate data processors; Restrict processing of data you have to retain; Prevent data loss; Control access to data; Protect data at rest; Secure transfer and storage of collected data; Risk management of the information lifecycle; Validate data subjects invoking rights; Educate DPOs on cyber risk; Pseudonymisation and obfuscation of personal data; Minimise, anonymise, erase data.
  • 19. Data Protection is a Tool for Risk Reduction. Chart: Risk Reduction Over Time (y-axis: incidents per week, 0 to 1000; stages: Visibility, Remediation, Notification, Prevention). EU General Data Protection Regulation.
  • 20. What Good Data Governance brings to a company: Know Your Data, Control Your Data, Agility; Reduce Costs, Business Value from your Information, Be Agile and Innovative. Mobile/BYOD/IoT Endpoints.
  • 21. Reducing Risk from Preparation to Response. PREPARE: understand personal data & risk posture (Data Discovery and Privacy Impact Assessments: Data Loss Prevention; Risk Posture Assessment and Remediation: Control Compliance Suite / Endpoint Management; Cloud Data Risk Posture Assessment: Elastica). PROTECT: protect personal data from malicious attack & misuse (Information Protection and Governance: Data Loss Prevention / Encryption / Authentication; Threat Protection: SEP / DCS / ATP / Email Security / Web Security; Data Encryption & Tokenization: ProxySG, Cloud Data Protection). DETECT: provide rapid detection, understand impact of breach (Monitoring, Threat Intelligence and Cyber Expertise: Cyber Security Services; Advanced Persistent Threat Detection: ATP / Unified Analytics; Advanced Persistent Threat Detection: SSL Visibility, CAS/MA, Security Analytics). RESPOND: respond efficiently & effectively to be compliant, mitigate risk (Crisis Management and Incident Response: Cyber Security Services; Cyber Insurance; Unified Analytics; Incident Response and Network Forensics: Security Analytics).
  • 22. How Can Symantec Help? (Realization / Implication / Need).
    - Breach is inevitable / Expand from protection (only) to add detection + response / Threat Protection (Keep the Bad Stuff Out).
    - Information is now everywhere / Move our protection to wherever information flows / Information Protection (Keep the Good Stuff In).
    - Regulatory scope is expanding / Embed governance into the security program / Compliance / IT GRC (Do the Right Thing).
  • 23. Thank you! Copyright © 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Legal Disclaimer: The materials contained in this presentation are not intended to provide, and do not constitute or comprise, legal advice on any particular matter and are provided for general information purposes only. You should not act or refrain from acting on the basis of any material contained in this presentation, without seeking appropriate legal or other professional advice.

Editor's Notes

  1. Intended audience: enable sales to then talk to customers. Strong data governance and information risk management is no longer a choice. The EU’s recent approval of the GDPR (General Data Protection Regulation) means there are tangible implications for businesses that do not comply with data privacy regulations. Information is now one of our most valuable assets, and managing it well will provide a competitive advantage just as poor practices will lead to a negative brand reputation and business impact. Establishing a trusted reputation for data governance and data privacy will become increasingly important to business leaders. They will need to show that they make responsible use of personal data in their business and protect it from exploit or attack. Our lives are accelerating, partly due to the ubiquitous use of mobile devices and the connected nature of the Internet of Things. Digital transformation doesn’t just increase the need for data privacy due to the creation of more data but also the challenge of protecting that data. The Symantec market-leading Information Protection solutions help you locate and secure personal data so you know where your data is. Our Threat Protection solutions can prevent and detect the prevalent malicious attacks targeting sensitive data. Knowing where your data is and how to protect it will go a long way to help businesses achieve compliance.
  2. GDPR is all about data privacy. There are a number of drivers for privacy, of which the GDPR is just one. You need to get this right to protect your reputation with key stakeholders (eg press, consumers, customers, suppliers, vendors), and doing that can lead to new business opportunities for you. But it’s not easy. There are some challenges. Data is growing, it’s mobile, it’s stored in places you might not know about (the cloud) and also no-one owns it in your organisation. In parallel, data is valuable so at risk of theft by people both within and outside your organisation. Our ISTR research shows that 49% of data breaches are as a result of an external threat. So you need to look holistically at the issue. I said privacy is important to customers; let’s look at some research behind that. ------------------ If your business involves personal data then privacy needs to be at the core of your business in order to be successful. Historically, businesses have not always focused on privacy in the way that they should. However, increasingly if you don’t prioritise privacy it will impact your chances of success. There has been a framework and regulation around since the 1950s. Although privacy is a business issue, it’s also an emotive issue that can create an instinctive reaction in consumers. In countries like France and Germany privacy of their personal data is culturally important and failing to look after it can directly affect business. With the increase in breaches, the press headlines that brings and the impact on business reputation, protecting the personal data of customers and employees has never been more important. However, we’re working in a world where there are inhibitors to that drive. We haven’t taken ownership of the data we have and it’s growing more as we adopt new technology such as IoT. We need to take ownership for our data and ensure that we protect privacy.
The GDPR is an evolution, not a revolution, of the existing privacy framework to deal with the inhibitors to privacy whilst protecting EU citizens and residents from abuses which could arise. This makes IT security and risk management, protecting data whilst enabling an increasingly connected and digital world, more relevant to business than ever. Under GDPR, the “drive for privacy” comes first and foremost from: - the idea of privacy being a fundamental right (you can’t fool around with it or take it lightly) - the Accountability principle (you need to prove you do the right thing across the board) - the Privacy by Design principle (you need to build all your products in a certain way) - the Privacy by Default principle (you can only bring your products to market in a certain way) And only then can we go into technicalities like the security and breach notice components, or international data transfers for that matter.
  3. Our State of Privacy report shows that privacy is the most important factor when customers use products and services from an organisation. So you need to be able to both provide data security and demonstrate this to be successful. ------------------------------ Individuals care about privacy. Getting this right is essential to the success of the business. Getting privacy right will be a competitive advantage for a business, so it’s not just about complying with the regulation, a good privacy focus can provide a real competitive advantage to a business. This will also pass down through the supply chain. Even if your business doesn’t directly consume customer data a good privacy posture will be important in successfully fulfilling contracts with other companies.
  4. In the next few slides, let’s look deeper at the GDPR, and cover: How it came about; Timeline and next steps; Scope; High-level requirements.
  5. Key points The regulation is designed to harmonise data privacy legislation and have 1 common regulation across all 28 member states. This will provide a level playing field, but each country may start from a different place. Depending on the gap between the member state’s current implementation of the Directive and the Regulation there may be varying impact in different countries. The regulation was approved in April 2016 and will take force in 2018. Organisations need to prepare to comply. There is a difference between a Directive and a Regulation. Directive – Up to each country how they achieve the goal Regulation – Must be adopted in its entirety across the EU
  6. The GDPR covers these 4 important points, underpinned by the need to protect during the lifecycle. There are more elements than this but these 4 points will have the greatest impact on organisations. It defines what is personal data (see earlier) It explains when you have, or how you seek legal permission for processing data (eg ABC News asking readers to sign up for a newsletter, or collecting information on IP address for geographical analysis) Privacy needs to be embedded in the organisation (eg. ABC News has to think about the privacy of their subscribers whenever they develop new services) Data needs to be secured. (eg ABC News needs to implement controls to protect the personal data they store to prevent it being lost or stolen) -------------------
  7. We just said GDPR is underpinned by the lifecycle. Let’s look at the data governance lifecycle. Start with Collect: do I have the right to collect data? Process – what permission do I have. Remember this is specific, so I may need new permission to process data in a new way (eg ABC News collects data to send a newsletter; they can’t automatically use that data to market a new event or publication). Retain and Secure – how you store data, for how long, and the holistic steps you take to secure it. Management – how you put the principles and policies relating to the cycle into practice, i.e. do you have the processes in place and the mechanisms for the data subject to access their records and to change this, including amending data records and requesting the deletion of records (right to be forgotten).
  8. What this means for an organisation. We see four focus areas. Let’s look at each one in turn ----------------- Maybe this is about the “business value from your information” point: It is very important to stress that GDPR is not something meant to prevent a company from building value from data; it is something that defines the rules of how you can build business value. If you do it by the rules, you will create sustainable value. If you don’t, you will be at risk of losing it all, and even much more.
  9. Starts with the DPO. Let’s look again at ABC Media. The DPO needs to demonstrate compliance. This needs to cover: Privacy by design PIA based on a risk approach (so frequency can vary). A Privacy Impact Assessment under GDPR needs to be done from the data subject’s perspective. It is supposed to evaluate the privacy risk to the individual and not the compliance risk to the company. Developing appropriate policy, process and tech Ensuring effective controls in place (that stand up to audit scrutiny)
  10. So let’s think ABC Media. (reorder circles) ABC Media decide to do a PIA and that identifies a need to Improve Security Requirements (circle 1). There are 2 elements of improvement needed. First, Protection and Access control (Encryption and ID Mgt), circle 2. This will help reduce the consequence (impact) of a breach (if I can prove it was encrypted, I don’t need to say what I lost). They need to secure private data. There are exceptions in the law that make “information security a legitimate interest”, so people can use cybersecurity technologies to protect themselves and don’t need to ask the bad guys’ permission to store their data. And also a need for fast and effective detection and response (circle 5) to meet the ‘obligation to notify of a breach within 72 hrs’. -------------------------
  11. We hear from customers a number of misconceptions or concerns around what this means for storing and transferring data. Let’s look at some of the myths and the reality The GDPR is not meant to prevent a company from building value from data, it is something that defines the rules of how you can build business value. If you do it by the rules, you will create sustainable value. If you don’t, you will be at risk of losing it all, and even much more.
  12. The max penalties are 4% of the global annual turnover or 20 million euro, whichever is greater. Presence of national authorities makes enforcement more likely. The presence of an EU coordinating mechanism makes enforcement on a pan-European scale more likely. Fines will apply when a company isn’t seen to have put the appropriate protection in place.
    - If you don’t put in place security, you expose yourself to penalties for non-compliance.
    - If you suffer a breach in spite of your best efforts and you report it, and if you can demonstrate the best efforts you made, you will not expose yourself to sanctions.
    - If you suffer a breach because of the lack of sufficient security, then you might be sanctioned, but again not because of the breach, but because of your failure to take adequate security measures.
    - However, if you suffer a breach and you don’t report it, then you do expose yourself to the higher levels of sanction because of the deliberate decision not to comply.
    - And ultimately, you might think that reporting breaches is bad for your reputation, but you know what will be much, much worse? Being caught in the act of trying to cover it up. And chances are you will be caught. And in that case, you’ll be under the heaviest sanctions permitted by the law.
  13. As per earlier comments, align the boxes on this graph to the boxes in the previous two slides. Also move “demonstrate compliance” from being a sub-box under “Manage” to the central piece at the heart of the cycle, since the ability to demonstrate compliance with every aspect is at the essence of accountability.
  14. Insurance can only help if you’ve done things right. They won’t pay out if you haven’t done the right thing.
  15. Proactive not Reactive: Do not wait for privacy risks to materialize, or offer remedies for resolving privacy infractions once they have occurred — aim to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after. Privacy as the Default Setting: We can all be certain of one thing — the default rules! Privacy by Default seeks to deliver the maximum degree of privacy by ensuring that personal data is automatically protected in any given IT system or business practice. If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy — it is built into the system, by default. Privacy Embedded into Design: Privacy by Design is embedded into the design and architecture of IT systems and business practices. It is not bolted on as an add-on, after the fact. Full Functionality — Privacy by Design avoids the pretense of false dichotomies, such as privacy vs. security, demonstrating that it is possible to have both. Implement cyber security solutions that don’t undermine the privacy of your customers or employees. End-to-End Security — Protect information across its full lifecycle. Strong security measures are essential to privacy, from start to finish. This ensures that all data is securely retained, and then securely destroyed at the end of the process, in a timely fashion. Thus, Privacy by Design ensures cradle-to-grave, secure lifecycle management of information, end-to-end. Visibility and Transparency — Keep it Open: Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent, to users and providers alike. Remember, trust but verify.
Respect for User Privacy — Keep it User-Centric Above all, Privacy by Design requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options. Keep it user-centric. This is the mindset that must govern Privacy Impact Assessments.
  16. [FIRST EXPLAIN THE AXES] I want to show you the stages of risk reduction over time and how it looks for customers. At this point, you may be wondering: what’s the best way to get started with DLP? In working with our customers over the years, we’ve developed a proven methodology for measurably reducing their data loss risk. It’s made up of four key stages: visibility, remediation, notification, and prevention. Visibility: One of the biggest challenges is gaining visibility into where data loss risk is. As mentioned earlier, broken business processes are a primary culprit of data loss. With our customizable reporting and dashboards, we can help you identify your exposed areas, broken business processes and high-risk users through a single pane of glass. Other vendors stop here and dump a bunch of incidents on your desk. Once you have them, you need to aggregate and correlate them to understand where the broken business processes are that lead to the incidents in the first place. During the baseline step, the goal is to gain visibility into what’s going on within your organization. Esurance, an online auto insurance company, is using Symantec DLP to protect hundreds of thousands of CCNs and SSNs. Their primary concern was mobile employees copying sensitive data from their laptops onto USBs and CD/DVDs. Using Symantec DLP, they were able to establish a baseline to understand what was going on and then see how claim reps were creating a lot of incidents, just to get their work done while on the road. Our customers tell us that finding incidents is just the first step. The real work of fixing incidents is what really begins to successfully reduce the risk of data loss. Remediation: Once you know what business processes are broken and who your top offenders are, you need to start remediation. Our customers have told us that 90% of DLP is about what you do after you find incidents.
With Symantec DLP, you can set up custom workflow paths and remediation responses based on severity to make sure the right action is taken at the right time. One of our customers is a large regional healthcare provider who has been using Symantec DLP since 2006. They have over 16,000 employees and 4,200 doctors across 7 hospitals. Their CIO and CISO made DLP a top priority because they needed to protect millions of patient and employee health records – including SSNs, CCNs and medical record numbers – and demonstrate compliance with HIPAA and PCI. They found that doctors were the biggest offenders – sending sensitive patient information to their webmail. As a result, they were able to target their security training and awareness programs and drove down their risk by 70%. Notification: Notification is one of the single biggest contributors to reducing risk. By notifying employees right away to alert them of inappropriate use, you can instantly educate them on security policies. With Symantec DLP, one of our Fortune 100 insurance customers saw an 80% risk reduction in 20 days by turning on automated sender notification. Over 90% of their first-time offenders did not have a repeat offense after they turned on real-time notifications. They changed employee behavior and, as a result, reduced the workload for their incident response team. Prevention: With visibility, remediation and notification, you will whittle down the number of incidents. The last step in the methodology is prevention, which is stopping data from inappropriately leaving your network. One of our Fortune 1000 customers saw a 97% risk reduction by fingerprinting every U.S. citizen’s SSN and PII. When a certain combination of SSN and other PII was detected, they blocked email and web communications. They quarantined emails and exposed files; they routed messages to an encryption gateway which automatically enforced their encryption policies. In summary, they stopped data from leaving.
Conclusion: In summary, Symantec DLP can significantly reduce your company’s overall risk of data loss. We help security teams enable the business side by educating employees, fixing broken business processes, and supporting business activity to occur securely.
  17. Business Value: Know where your information is and that it’s healthy; You’re confident you have the right to use it; Build your brand for privacy with your customers. Reduce costs: Streamline operations for projects such as data migration, cloud storage, permissions clean-up etc.; Automate information processing and documentation. Be Agile: Be more informed about your information; Make better business decisions.
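The four-stage DLP methodology from note 16 (visibility, remediation, notification, prevention), as an added Python example that is not Symantec DLP code: pattern detectors for SSNs and Luhn-valid card numbers, a keyed-hash exact-match index standing in for the SSN fingerprinting the note mentions, and a policy whose actions escalate from logging through sender notification to blocking. The sample messages, patterns, severity rules and key are constructed assumptions.

```python
"""Four-stage data loss prevention methodology (visibility, remediation,
notification, prevention) run over constructed outbound messages.
Added example written for this page; it is not Symantec DLP code, and the
message format, detectors, severity rules and fingerprint index are
assumptions made for illustration."""
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample of outbound messages: (sender, channel, body).
SAMPLE_MESSAGES = [
    ("claims.rep@example.com", "usb",
     "Claim 4471 for John Doe, SSN 123-45-6789, DOB 01/02/1970"),
    ("dr.smith@example.com", "webmail",
     "Patient MRN 88812, SSN 321-54-9876, forwarding to my personal mail"),
    ("finance@example.com", "email",
     "Card on file 4111 1111 1111 1111 exp 12/27"),
    ("hr@example.com", "email",
     "Ticket 0000-00-0000 is not an SSN; order 1234567890123456 fails Luhn"),
    ("claims.rep@example.com", "usb",
     "Second batch: SSN 123-45-6789 again"),
    ("dev@example.com", "email",
     "Release notes: version 2.1, no personal data here"),
]

# Pattern detectors. The SSN pattern rejects area/group/serial values that are
# never issued (000, 666 and 9xx areas, 00 group, 0000 serial) to cut noise.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
DOB_RE = re.compile(r"\b\d{2}/\d{2}/\d{4}\b")
MRN_RE = re.compile(r"\bMRN\s*\d+\b")

# Assumed secret for the exact-match index; in practice it lives in a KMS/HSM.
FINGERPRINT_KEY = b"constructed-demo-key-not-for-production"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def fingerprint(value: str) -> str:
    """Keyed hash of a normalised value, so the index stores no raw SSNs."""
    norm = re.sub(r"\D", "", value)
    return hmac.new(FINGERPRINT_KEY, norm.encode(), hashlib.sha256).hexdigest()


# Exact-data-match index of records the organisation must protect
# (constructed: one registered SSN).
PROTECTED_INDEX = {fingerprint("123-45-6789")}


def classify(body: str) -> dict:
    """Return what was found and a severity of 'none', 'medium' or 'high'."""
    ssns = SSN_RE.findall(body)
    cards = [re.sub(r"\D", "", m) for m in CARD_RE.findall(body)]
    cards = [c for c in cards if luhn_ok(c)]
    exact = [s for s in ssns if fingerprint(s) in PROTECTED_INDEX]
    other_pii = bool(DOB_RE.search(body) or MRN_RE.search(body))
    if exact or (ssns and other_pii):
        severity = "high"      # registered record, or SSN combined with other PII
    elif ssns or cards:
        severity = "medium"    # pattern match only
    else:
        severity = "none"
    return {"ssns": ssns, "cards": cards, "exact": exact, "severity": severity}


STAGES = ("visibility", "remediation", "notification", "prevention")


def decide(stage: str, severity: str) -> list:
    """Response actions per methodology stage; each stage builds on the last."""
    if severity == "none":
        return []
    actions = ["log_incident"]                      # visibility: observe only
    if stage in ("remediation", "notification", "prevention"):
        actions.append("escalate_to_irt" if severity == "high" else "queue_for_review")
    if stage in ("notification", "prevention"):
        actions.append("notify_sender")             # real-time policy education
    if stage == "prevention":
        actions.append("block" if severity == "high" else "quarantine")
    return actions


def run_stage(messages, stage: str) -> list:
    """Evaluate every message under one stage; return only the incidents."""
    if stage not in STAGES:
        raise ValueError(f"unknown stage {stage!r}")
    incidents = []
    for sender, channel, body in messages:
        found = classify(body)
        if found["severity"] == "none":
            continue
        incidents.append({"sender": sender, "channel": channel,
                          "severity": found["severity"],
                          "exact_match": bool(found["exact"]),
                          "actions": decide(stage, found["severity"])})
    return incidents


def top_offenders(incidents) -> list:
    """Visibility step: aggregate incidents to expose broken processes,
    e.g. one sender repeatedly copying records to the same channel."""
    return Counter((i["sender"], i["channel"]) for i in incidents).most_common()
```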